WiredWX Hobby Weather Tools

[Solved] C:\resycled\boot.com (problems with this)

Hi

I have a problem with C:\resycled\boot.com. This same problem was posted some time ago, when this problem did not exist on my laptop.

I cannot access my C drive or my external drive either.

Alongside this problem, I have or had problems with 'Troj/Rustok-N'. I believe it still exists on my computer.

I received C:\resycled\boot.com when trying to delete 'Troj/Rustok-N' with Malwarebytes. I have a log of this scan (full) and will post it when told to do so by the person who will be assisting me with this matter.

It is my belief that I received these terrible problems through something I was once strongly against (torrents or file sharing). I am regathering that same insight I once had before.

LESSON LEARNED!!

You have my honesty and I humbly ask for your expertise.

Any help to resolve these problems would be most appreciated, and thanks in advance.

Last edited by fendy3 on 29th December 2008, 5:03 pm; edited 2 times in total

Re: C:\resycled\boot.com (problems with this)

Hello.
Please read here and post a HijackThis log.

http://www.geekpolice.net/malware-removal-hijackthis-logs-f11/read-this-before-posting-t3821.htm

Re: C:\resycled\boot.com (problems with this)

Hi and thanks for responding.

Here's the HijackThis log below:

-----------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:38 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AM Browser\AM Browser.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\DeWayne Fenderson\Desktop\OTMoveIt3.exe
C:\Program Files\AM Browser\AM Browser.exe
C:\Documents and Settings\DeWayne Fenderson\Desktop\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
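Two things a practitioner checks in a log like the one above are worth automating. First, the same CLSID, {2bae58c2-79f9-45d1-a286-81f911301c3a}, appears under R3 (URLSearchHook), O2 (BHO) and O3 (Toolbar), all pointing at C:\Program Files\P2P_Energy\tbP2P_.dll: one component wired into Internet Explorer three ways, which has to be found under every hook type for the fix list to be complete. Second, the O4 entry [SigmatelSysTrayApp] gives only the bare name stsystra.exe, so the log itself does not say which file runs at logon (the ComboFix output later in this thread resolves it to c:\windows\stsystra.exe). The Python below is an added example, not code from the thread or from HijackThis; it parses a few lines copied from the log above (the constructed sample is just those lines) and performs both checks.

```python
import re
from collections import defaultdict

# Constructed input: a handful of lines copied from the HijackThis log posted
# above, enough to show the checks without reproducing the whole log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)


def _command_path(command):
    """First token of a Run-key command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def parse_hjt(text):
    """Parse HijackThis lines into dicts: kind, clsid (lower-cased), path, raw."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        clsid = CLSID_RE.search(body)
        if kind == "O4" and "] " in body:
            # O4 - HKLM\..\Run: [Name] <command line>
            path = _command_path(body.split("] ", 1)[1])
        else:
            # R3/O2/O3/O23: "<label> - {CLSID} - <path>" or "<label> - <vendor> - <path>"
            parts = [p.strip() for p in body.split(" - ")]
            path = parts[-1] if len(parts) > 1 else None
        entries.append({
            "kind": kind,
            "clsid": clsid.group(0).lower() if clsid else None,
            "path": path,
            "raw": line.strip(),
        })
    return entries


def group_by_clsid(entries):
    """Map each CLSID to the sorted list of entry kinds it appears under."""
    kinds = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            kinds[e["clsid"]].add(e["kind"])
    return {clsid: sorted(k) for clsid, k in kinds.items()}


def multi_registered(entries):
    """CLSIDs registered under more than one hook type (e.g. BHO + toolbar + URLSearchHook).

    One DLL hooked into IE several ways has to be listed under every hook
    type, so correlating by CLSID keeps the removal list complete.
    """
    return {c: k for c, k in group_by_clsid(entries).items() if len(k) > 1}


def unqualified_run_entries(entries):
    """O4 Run entries whose command is a bare file name with no directory.

    Such an entry is resolved through the search path at logon, so the log
    alone does not tell you which file actually runs.
    """
    return [
        e["raw"] for e in entries
        if e["kind"] == "O4" and e["path"] and "\\" not in e["path"] and ":" not in e["path"]
    ]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for clsid, kinds in multi_registered(entries).items():
        paths = {e["path"] for e in entries if e["clsid"] == clsid}
        print("%s registered as %s from %s" % (clsid, "+".join(kinds), ", ".join(sorted(paths))))
    for raw in unqualified_run_entries(entries):
        print("unqualified Run entry: " + raw)
```

Run against the full log, the script lists the P2P Energy CLSID as O2+O3+R3 from a single DLL and flags the stsystra.exe entry; entries with a full path or a CLSID seen once are left alone, which is the point: the grouping narrows what a human still has to judge.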

Re: C:\resycled\boot.com (problems with this)
Hello.
I need to see what's installed on this machine.


  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

Re: C:\resycled\boot.com (problems with this)
This is the uninstall list below:

-------------------------------------


Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AM Browser version 2.0.1
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom 440x 10/100 Integrated Controller
CCScore
Conexant HDA D110 MDC V.92 Modem
DAEMON Tools Toolbar
Dell Resource CD
Dell Wireless WLAN Card
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
eyeQ
FX AccuCharts
GemMaster Mystic
Global Trading System Pro
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hermes
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Intel(R) PROSet/Wireless Software
Interbank FX Trader 4 4.00
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Java(TM) 6 Update 7
kgcbase
Kodak EasyShare software
Magic ISO Maker v5.5 (build 0273)
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
MediaDirect
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Report Viewer Redistributable 2005
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB954430)
mToolkit
mWlsSafe
mXML
mZConfig
netbrdg
OfotoXMI
Otto
OutlookAddinSetup
P2P_Energy Toolbar
PDF Settings
PowerISO
QuickSet
QuickTime
Safari
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SFR
SHASTA
SigmaTel Audio
skin0001
SKINXSDK
Sonic Encoders
staticcr
Synaptics Pointing Device Driver
tooltips
TorrentPrivacy 1.2.7.0
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
UseNeXT
VPRINTOL
Windows Imaging Component
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908250
Windows XP Service Pack 3
WinRAR archiver
WIRELESS

----------------------------------------------------------------------

This is what I got from the HijackThis Uninstall Manager.

Re: C:\resycled\boot.com (problems with this)
Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • J2SE Runtime Environment 5.0 Update 6
  • Java(TM) 6 Update 7
  • P2P_Energy Toolbar


You aren't running anti-virus software.

Anti-virus software is a program that detects, cleans, and erases harmful virus files on a computer, web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software (for personal use) from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Since MBAM is already on the system, let's use that.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: C:\resycled\boot.com (problems with this)
Sorry for taking so long to reply, another matter came up.

Here's the MBAM log below:

----------------------------------------------------------------



Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/29/2008 3:10:50 PM
mbam-log-2008-12-29 (15-10-50).txt

Scan type: Quick Scan
Objects scanned: 51596
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------

Nothing was found, even after the update, and the problem still exists.

Re: C:\resycled\boot.com (problems with this)
Hello.
The resycled malware infects external drives, so if you have any external drives or USB drives, please plug them in and do this.


  • Download ComboFix from here; use the top links - ComboFix.exe
  • Please disable your local AV (anti-virus) by right-clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: ComboFix prompt offering to install the Recovery Console]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: ComboFix prompt asking whether to continue the malware scan]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
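The "resycled" family spreads through an autorun.inf placed in the root of every writable volume, which is why the helper asks for the external drives to be plugged in before ComboFix runs, and why ComboFix's log further down reports deleting C:\autorun.inf, G:\Autorun.inf and G:\resycled\boot.com. The thread never shows the contents of those autorun.inf files. The Python below is an added example, not part of the thread or of ComboFix; it assumes hypothetical [autorun] contents of the common kind, where the AutoPlay keys (open, shellexecute) and the drive's shell verbs (shell\open\command, shell\explore\command) all point at the dropped file, builds a throw-away directory standing in for a drive root (constructed data, with a placeholder boot.com), and reports what the file would launch and whether the target is actually present. The look-alike check on the directory name ("resycled" is one letter away from "recycled") and the verb-hijack reasoning are the example's own, not anything the thread states.

```python
import os
import re
import tempfile

# Constructed sample: the thread does not show what the deleted autorun.inf
# files contained, so these [autorun] keys are an assumption chosen to show
# the usual pattern (every launch directive pointed at the dropped file).
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=resycled\boot.com
shell\open\command=resycled\boot.com
shell\explore\command=resycled\boot.com
shellexecute=resycled\boot.com
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Keys that make Explorer run something: the AutoPlay "open"/"shellexecute"
# entries and the shell verbs that replace what a double-click or
# right-click on the drive does.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\.*\\command)$")
RECYCLE_NAMES = ("recycled", "recycler")
EXEC_EXTENSIONS = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd")


def parse_autorun_inf(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased."""
    section, pairs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip().strip('"')))
    return pairs


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter look-alikes such as 'resycled'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_launches(pairs):
    """Every launch directive in the section, with the reasons it looks like a dropper."""
    findings = []
    for key, value in pairs:
        if not LAUNCH_KEY_RE.match(key) or not value:
            continue
        target = value.split()[0]
        top_dir = target.replace("/", "\\").split("\\")[0].lower()
        reasons = []
        if any(edit_distance(top_dir, n) <= 1 for n in RECYCLE_NAMES):
            reasons.append("lives in a Recycle-Bin-style directory %r" % top_dir)
        if target.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("executable extension")
        if key.startswith("shell\\"):
            reasons.append("hijacks the drive's %s verb" % key.split("\\")[1])
        findings.append({"key": key, "target": target, "reasons": reasons})
    return findings


def scan_drive_root(root):
    """Inspect autorun.inf in a drive root (any letter case) and say what it would launch.

    Each finding also records whether the launch target is present on the drive.
    """
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
        findings = suspicious_launches(parse_autorun_inf(fh.read()))
    for f in findings:
        rel = f["target"].replace("\\", os.sep)
        f["exists"] = os.path.isfile(os.path.join(root, rel))
    return findings


def build_demo_root(infected=True):
    """Create a temporary directory standing in for a drive root (constructed data)."""
    root = tempfile.mkdtemp(prefix="drive_")
    if infected:
        os.makedirs(os.path.join(root, "resycled"))
        with open(os.path.join(root, "resycled", "boot.com"), "wb") as fh:
            fh.write(b"placeholder, not the real dropper")
        with open(os.path.join(root, "Autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
    return root


if __name__ == "__main__":
    for f in scan_drive_root(build_demo_root()):
        state = "present" if f["exists"] else "missing"
        print("%-22s -> %s (%s) %s" % (f["key"], f["target"], state, "; ".join(f["reasons"])))
```

Under the assumed contents, a double-click on the drive in Explorer runs the shell\open\command target instead of opening the folder, which is consistent with the "cannot access my C drive nor my external drive" symptom and with access returning once the autorun.inf files were deleted. Disabling AutoPlay through the NoDriveTypeAutoRun policy does not stop Explorer from honouring those shell verbs; the mitigation that makes Windows ignore every autorun.inf is an IniFileMapping entry for Autorun.inf under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping with the default value @SYS:DoesNotExist.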

Re: C:\resycled\boot.com (problems with this)

Back again with the ComboFix log.

After running it, I am now able to access both my internal and external drives, but 'Troj/Rustok-N' still exists.

Here's the ComboFix log below (really long):

------------------------------------------------------------------------------------------------



ComboFix 08-12-28.04 - DeWayne Fenderson 2008-12-29 15:46:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.608 [GMT -6:00]
Running from: c:\documents and settings\DeWayne Fenderson\Desktop\ComboFix33.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
G:\Autorun.inf
G:\resycled
g:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-29 02:29 . 2008-12-29 02:29 d-------- C:\Rustbfix
2008-12-29 01:40 . 2008-12-29 01:40 d-------- C:\fsaua.data
2008-12-27 11:09 . 2008-12-27 11:09 d-------- c:\program files\Safari
2008-12-27 02:13 . 2008-12-27 02:13 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 02:13 . 2008-12-27 02:13 d-------- c:\documents and settings\DeWayne Fenderson\Application Data\Malwarebytes
2008-12-27 02:13 . 2008-12-27 02:13 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 02:13 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 02:13 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 15:27 . 2008-12-20 15:27 d-------- c:\program files\MagicISO
2008-12-19 15:39 . 2008-12-19 15:39 d-------- c:\documents and settings\DeWayne Fenderson\Application Data\UseNeXT
2008-12-19 15:38 . 2008-12-19 15:39 d-------- c:\program files\UseNeXT
2008-12-17 23:28 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-17 23:28 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-12-17 23:28 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-12-17 23:28 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-12-17 23:28 . 2008-04-13 18:09 6,144 --a------ c:\windows\system32\kbd106.dll
2008-12-17 23:28 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-12-17 23:28 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-12-17 23:28 . 2008-04-13 18:09 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-12-17 23:28 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-12-17 23:28 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-12-17 23:28 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-12-17 23:28 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-12-17 17:17 . 2008-12-27 02:11 d-------- c:\documents and settings\DeWayne Fenderson\Application Data\Eltima Software
2008-12-15 19:52 . 2008-12-28 21:27 d-------- c:\documents and settings\DeWayne Fenderson\Application Data\Hermes
2008-12-15 19:51 . 2008-12-15 19:52 d-------- c:\program files\Hermes
2008-12-13 18:46 . 2008-12-16 21:40 d-------- C:\Torrentprivacy
2008-12-13 17:17 . 2008-12-13 17:17 d-------- c:\program files\uTorrent
2008-12-08 01:14 . 2008-12-08 01:33 d-------- c:\documents and settings\DeWayne Fenderson\Application Data\Professional
2008-12-08 01:13 . 2008-12-08 01:13 d-------- c:\windows\Downloaded Installations
2008-12-08 01:13 . 2008-12-08 01:13 d-------- c:\program files\FX
2008-12-07 13:30 . 2008-12-07 13:30 d-------- c:\program files\Common Files\Adobe AIR
2008-12-07 13:28 . 2008-12-08 11:35 d-------- c:\program files\NOS
2008-12-07 13:28 . 2008-12-08 11:35 d-------- c:\documents and settings\All Users\Application Data\NOS
2008-12-06 20:48 . 2008-12-07 13:23 d-------- c:\documents and settings\DeWayne Fenderson\Application Data\U3
2008-12-03 17:34 . 2008-12-03 20:29 d-------- c:\program files\fxsolutions
2008-11-30 20:52 . 2008-11-30 20:52 d-------- c:\program files\Enigma Software Group
2008-11-30 20:34 . 2008-11-30 20:38 d-------- c:\documents and settings\DeWayne Fenderson\Application Data\Uniblue
2008-11-30 20:34 . 2008-11-30 20:38 d-------- c:\documents and settings\All Users\Application Data\DriverScanner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 17:05 --------- d-----w c:\program files\Java
2008-12-16 04:28 --------- d-----w c:\program files\RGB
2008-12-16 04:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-14 00:48 --------- d-----w c:\documents and settings\DeWayne Fenderson\Application Data\uTorrent
2008-11-28 21:26 --------- d-----w c:\program files\Google
2008-11-28 20:15 --------- d-----w c:\documents and settings\All Users\Application Data\GoBit Games
2008-11-28 09:29 --------- d-----w c:\program files\FXTraderLog
2008-11-28 09:22 --------- d-----w c:\program files\SQLite ODBC Driver
2008-11-27 09:01 --------- d-----w c:\program files\MSXML 4.0
2008-11-26 12:49 --------- d-----w c:\program files\iTunes
2008-11-26 12:49 --------- d-----w c:\documents and settings\DeWayne Fenderson\Application Data\Apple Computer
2008-11-26 12:49 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 12:48 --------- d-----w c:\program files\QuickTime
2008-11-26 12:48 --------- d-----w c:\program files\iPod
2008-11-26 12:48 --------- d-----w c:\program files\Bonjour
2008-11-26 12:47 --------- d-----w c:\program files\Common Files\Apple
2008-11-26 12:47 --------- d-----w c:\program files\Apple Software Update
2008-11-26 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-26 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-26 11:58 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-26 11:46 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-26 11:34 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 11:34 --------- d-----w c:\program files\Infinite Mind LC
2008-11-26 11:00 --------- d-----w c:\program files\DAEMON Tools Toolbar
2008-11-26 10:56 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-26 10:56 --------- d-----w c:\documents and settings\DeWayne Fenderson\Application Data\DAEMON Tools
2008-11-26 10:55 --------- d-----w c:\program files\PowerISO
2008-11-26 10:55 --------- d-----w c:\program files\AM Browser
2008-11-26 10:49 --------- d-----w c:\program files\Interbank FX Trader 4
2008-11-26 10:42 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-26 10:39 --------- d-----w c:\program files\Microsoft.NET
2008-11-26 10:05 --------- d-----w c:\documents and settings\DeWayne Fenderson\Application Data\Skinux
2008-11-26 10:03 --------- d-----w c:\program files\Kodak
2008-11-26 10:03 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-11-26 10:02 --------- d-----w c:\program files\Common Files\Kodak
2008-11-26 09:45 --------- d-----w c:\program files\CyberLink
2008-11-26 09:45 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-11-26 09:45 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-11-26 09:44 --------- d-----w c:\program files\Dell
2008-11-26 05:09 --------- d-----w c:\program files\Broadcom
2008-11-26 05:08 --------- d-----w c:\program files\Synaptics
2008-11-26 05:08 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-26 05:07 --------- d-----w c:\program files\CONEXANT
2008-11-26 05:06 --------- d-----w c:\program files\SigmaTel
2008-11-26 04:30 --------- d-----w c:\program files\GemMaster
2008-11-26 04:30 --------- d-----w c:\program files\EnglishOtto
2008-11-26 04:19 --------- d-----w c:\program files\microsoft frontpage
2008-11-26 04:12 --------- d-----w c:\program files\Windows Plus
2008-11-26 03:24 5 ----a-w c:\windows\system32\drivers\DELL_XPS_MM061 .MRK
2008-11-26 03:24 5 ----a-w c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
2008-11-26 03:21 17,801 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-11-26 03:21 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intel
2008-11-26 03:21 --------- d-----w c:\documents and settings\DeWayne Fenderson\Application Data\Intel
2008-11-26 03:21 --------- d-----w c:\documents and settings\All Users\Application Data\Intel
2008-11-26 03:20 --------- d-----w c:\program files\Intel
2008-11-26 03:15 --------- d-----w c:\program files\Modem Helper
2008-11-10 11:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-02 08:44 56,572 ----a-w c:\windows\system32\drivers\scdemu.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-29 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-07-07 282624]
MiniEYE-MiniREAD Launch.lnk - c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe [2008-11-26 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 00:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Torrentprivacy\\Torrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Torrentprivacy\\SSHTunel.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-24 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\GoBitGamesPlayer.dll - O16 -: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429}
hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
c:\windows\Downloaded Program Files\GoBitGamesPlayer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 15:48:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxxhopavbd.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1096)
c:\windows\System32\BCMLogon.dll
c:\windows\System32\MSVCP71.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2008-12-29 15:49:13
ComboFix-quarantined-files.txt 2008-12-29 21:49:11

Pre-Run: 57,909,321,728 bytes free
Post-Run: 58,268,319,744 bytes free

216 --- E O F --- 2008-12-18 09:00:51
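
The finding that matters in the log above is the entry `[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]`, which catchme reported under "hidden files": the registry names a kernel driver, `\systemroot\system32\drivers\msqpdxxhopavbd.sys`, that the ordinary file listing did not show. As an added example (not part of this thread, ComboFix or catchme), the PowerShell below reproduces that discrepancy check on a live system: it walks the Services key, keeps the kernel and file-system driver entries, resolves the `ImagePath` spellings Windows uses, and reports registered drivers whose file the file system API cannot see. The function names are my own.

```powershell
# Added example (not from the thread): list kernel-driver services whose
# registered image file is not visible through the normal file system API.
# A service key that names a driver Test-Path cannot see is the discrepancy
# the ComboFix/catchme log exposed for msqpdxserv.sys.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    # Strip NT object-manager prefixes such as \??\ and \\?\
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\\\\?\\', ''
    # Expand %SystemRoot% if the value was stored with the environment form
    $p = $p -replace '%SystemRoot%', $env:SystemRoot
    # \SystemRoot\... and bare system32\... are both relative to the Windows directory
    if ($p -match '^\\?SystemRoot\\(.*)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^(system32\\.*)$')      { return Join-Path $env:SystemRoot $Matches[1] }
    return $p
}

function Get-SuspiciousDriverServices {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, Type 2 = file system driver; Win32 services are skipped
        if ($null -eq $props.Type -or ($props.Type -ne 1 -and $props.Type -ne 2)) { continue }
        $resolved = Resolve-DriverImagePath $props.ImagePath
        if ($null -eq $resolved) { continue }   # many built-in drivers carry no ImagePath
        if (-not (Test-Path -LiteralPath $resolved)) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                ImagePath = $props.ImagePath
                Resolved  = $resolved
                Start     = $props.Start     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            }
        }
    }
}

Get-SuspiciousDriverServices | Format-Table -AutoSize
```

Hits need triage: registrations left behind by uninstalled drivers show up too, and a rootkit that hooks the registry API can hide its own service key from this enumeration, which is why tools like catchme read the hive and the disk directly rather than trusting the running system. The useful signal is the discrepancy itself, a registered driver whose file is not visible, which is exactly the pattern the log above shows.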

Re: C:\resycled\boot.com (problems with this)
Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
msqpdxserv.sys

File::
c:\WINDOWS\system32\drivers\msqpdxxhopavbd.sys

Folder::
C:\Rustbfix

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot of the drag-and-drop step]

This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Re: C:\resycled\boot.com (problems with this)
Ok, I did what you have instructed me to do, but it tells me that I do not have the recovery console and then it asks if I want to install it.

I said yes. It then started to download it, but stopped shortly after and the computer said that it has to shutdown in order not to cause harm to itself.

The computer also said that it needed to do a physical memory dump and that I should restart Windows in safe mode.

What should I do from here?

Re: C:\resycled\boot.com (problems with this)
Eeek.
I fear the machine may refuse to boot from this point, but see if you can get into safe mode.

Re: C:\resycled\boot.com (problems with this)
Ok, I will try to do that.

Here is what it said: IRQL_NOT_LESS_OR_EQUAL

I don't know if that means anything or not.

Also, I tried to download the recovery console from Microsoft's site and it would not download.

It said, "This program cannot display the webpage".

Let me try to get into safe mode and try the fix.

By the way, it still reboots, as you can see. Smile...

Re: C:\resycled\boot.com (problems with this)
Glad it still boots.
Don't use combofix, we'll try something else.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :services
    msqpdxserv.sys

    :files
    c:\WINDOWS\system32\drivers\msqpdxxhopavbd.sys
    C:\Rustbfix

    :reg
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: C:\resycled\boot.com (problems with this)
Belahzur!!! You are Da Man!! Hooray! Right On!

You and I are friends 4life. My Buddy

Cheers Mate Cheers to you!

It worked as you can see. Thanks so much for your help.

If there's anything that I can do for you, please let me know.

Also, if I'm supposed to leave you some feedback, I will do it, just tell me how and where and who to post it.

You'z need me bump someone off Boss? (Gunsmoke)


Thanks again for your expertise. Problem solved!
